EasyJet has been targeted in a cyber attack with the email addresses and travel details of about nine million customers breached.
The low-cost airline said on Tuesday the hack was undertaken by a “highly sophisticated” actor. Its investigation also found that about 2,200 customers had their credit card details stolen.
The scale of easyJet's breach pales in comparison with some of the world's biggest cyber attacks, which include hotel chain Marriott's 500 million customer breach, disclosed in 2018. British Airways also suffered a cyber attack in 2018, with personal data of about 500,000 customers compromised.
Industry experts say easyJet could face fines running into tens of millions of pounds for breaching the General Data Protection Regulation (GDPR).
Under GDPR companies can be penalised by as much as 4 per cent of their global annual revenue, depending on the nature of the incident.
For easyJet, that would be up to £255 million (€286 million), if the “higher maximum” penalty is imposed by the UK Information Commissioner’s Office (ICO).
The airline first became aware of the attack in late January, according to people familiar with the situation. The company notified customers whose credit card details were stolen in early April.
It said it was making public the attack now based on the recommendation of the ICO to minimise any risk of potential phishing attacks, which have risen since the outbreak of Covid-19, for the nine million that had their email and travel details stolen.
It will be contacting those customers over the next few days and no later than May 26th.
This development comes at a difficult time for the low-cost airline. Almost all of its planes have been grounded since the end of March as it was hit by travel restrictions across Europe after countries looked to contain the spread of coronavirus.
EasyJet is also in the middle of a battle with its founder and largest shareholder Stelios Haji-Ioannou over a multibillion-pound order for 107 Airbus aircraft. The airline is holding a general meeting on Friday in response to Mr Haji-Ioannou's resolution to remove four directors, including chairman John Barton and chief executive Johan Lundgren.
“We have a live investigation into the cyber attack involving easyJet,” the ICO said. “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”
However, a large fine of more than £200 million would appear unlikely due to the relatively small number of customers that had their credit card details stolen. No passport details were taken and easyJet said there was no evidence that any personal information of any nature had been misused.
A timely notification of the breach to the authorities may also minimise the fine. The airline had been working with the ICO since January.
The ICO last year said it planned to fine BA £183 million and Marriott £99 million for the 2018 data breaches. However, neither fine has yet been paid after further investigations were deferred.
Mr Lundgren said: “We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.” – Copyright The Financial Times Limited 2020